UIUC Firewalls - PowerPoint PPT Presentation

About This Presentation
Title:

UIUC Firewalls

Slides: 31
Provided by: mosist

Transcript and Presenter's Notes

1
UIUC Firewalls
  • CCSO - Communications Engineering
  • Mary Stevens
  • stevens3_at_uiuc.edu

2
Quick intro to Firewalls
  • What is a firewall?
  • Types of firewalls.
  • A quick intro into how firewalls work.

3
What is a firewall?
  • Think of a firewall as a system or systems put
    into place to allow or disallow traffic between 2
    or more networks.
  • For a firewall to be effective it must exist as a
    single point of entry onto a network. Any
    traffic that can bypass the firewall will
    enter/leave a network without regard to the
    rules.
  • A firewall itself should not be vulnerable to
    attack.

4
Types of Firewalls
  • Network layer
    - Generally faster
    - Work on source IP, destination IP, and port
    - Simple NL firewall is a router with ACLs
    - Usually the most transparent to end users
  • Application layer
    - Proxy based
    - Usually slower
    - Less transparent to users

5
How do firewalls work?
  • Access Control Lists (ACLs) - Control access via
    source and destination IP and service.
    - Parsed in order top to bottom.
    - First matching rule stops parsing.
  • State - Keeping track of connection requests and
    being able to allow traffic that is in response
    to a request and deny traffic that is not in
    response to a request.

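The two mechanisms on this slide, an ordered ACL where the first match wins and a state table that lets replies back in, can be shown together in a small simulator. The code below is an added example and is not from the presentation or from any UIUC firewall configuration; the address ranges (RFC 5737 documentation space standing in for "campus" and "the internet") and the three-rule ACL are constructed for the demonstration.

```python
"""Toy stateful packet filter: ordered ACL, first match wins, reply tracking."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address ranges (RFC 5737 documentation space), not UIUC's.
CAMPUS = "192.0.2.0/24"
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = ANY               # source network in CIDR form
    dst: str = ANY               # destination network in CIDR form
    proto: str = "any"
    dport: Optional[int] = None  # None means any destination port ("service")

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


Flow = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport


class StatefulFirewall:
    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = rules
        self.default = default
        self.state: set = set()   # flows the ACL has accepted so far

    def filter(self, p: Packet) -> str:
        fwd: Flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev: Flow = (p.proto, p.dst, p.dport, p.src, p.sport)
        # State lookup comes before the ACL: a packet belonging to a flow that
        # was already accepted (either direction) passes without re-parsing rules.
        if fwd in self.state or rev in self.state:
            return "allow (established)"
        # The ACL is parsed top to bottom; the first matching rule decides.
        for i, rule in enumerate(self.rules):
            if rule.matches(p):
                if rule.action == "allow":
                    self.state.add(fwd)   # remember the request so replies can return
                return f"{rule.action} (rule {i})"
        return f"{self.default} (default)"


# Constructed ruleset: one public web server, no other inbound web, all outbound.
RULES = [
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=80),
    Rule("deny", dst=CAMPUS, proto="tcp", dport=80),
    Rule("allow", src=CAMPUS),
]


def demo(rules: List[Rule] = RULES) -> List[str]:
    fw = StatefulFirewall(rules)
    pkts = [
        Packet("198.51.100.7", "192.0.2.10", "tcp", 51000, 80),  # inbound to web server
        Packet("198.51.100.7", "192.0.2.11", "tcp", 51001, 80),  # inbound to another host
        Packet("192.0.2.5", "198.51.100.7", "tcp", 40000, 25),   # outbound mail request
        Packet("198.51.100.7", "192.0.2.5", "tcp", 25, 40000),   # reply to that request
        Packet("198.51.100.7", "192.0.2.5", "tcp", 25, 40001),   # unsolicited from port 25
    ]
    return [fw.filter(p) for p in pkts]


if __name__ == "__main__":
    for v in demo():
        print(v)
    # Rule order matters: put the general deny first and the web server goes dark.
    print(demo([RULES[1], RULES[0], RULES[2]])[0])
```

The last line of the script is the point about ordering: the same three rules with the general deny moved above the specific allow turn the web server's verdict from allow to deny, which is why a catch-all rule belongs at the bottom of an ACL. The fourth packet shows why state matters: nothing in the ACL allows port-25 traffic inbound, but the reply to an accepted outbound request is admitted from the state table, while the fifth packet, which no request preceded, falls through to the default deny.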
6
Firewalls at UIUC
7
(Diagram slide: No firewall, exit configuration)
8
Let's add firewalls?
  • Could firewalls help?
  • Is there a firewall that can handle the
    throughput that we need today and tomorrow?
  • Can we remove load from routers, do the same
    access control but better?
  • Is Intrusion Detection a possibility?
  • Are VPNs possible?
  • Increase the reliability and bandwidth in that
    center segment.
  • QoS - bandwidth shaping

9
Search for Features
  • Firewall speed. How fast is fast enough?
  • Gig firewalls, number of flows/connections
  • How does the number of rules affect speed?
  • Ability to configure without NAT.
  • Ability to configure open.
  • Protect a large number of nodes without paying a
    high fee per node.

10
What we found
  • Large number of flows and the need to provide
    room for growth pointed to Firewall Load
    Balancing
  • Fastest firewalls are appliance based.
  • Gig firewalls very expensive, adding a redundant
    one even more so.
  • Lots of firewalls want to do NAT
  • Most aimed at corporate sector. Close off
    everything and only allow selected things
    through.

11
Current Plan
12
Firewalls
  • Went out for bid.
  • Hardware - Netscreen 100A, Foundry Server Irons
  • Inserted in an open configuration. No change in
    policy. The hardware implementing the policy
    changed. Routers implemented access control
    before. Now the majority of access control is
    performed by the firewalls.
  • Firewalls remember state. This is important to
    remember when we are discussing rules.

13
Firewalls
  • See only traffic going on or off campus.
  • Totally internal traffic not seen, no impact on
    that.
  • Load balancing works such that once a flow is
    established it will go through that firewall
    until completed.
  • Important: Individual machine security is still
    an important part of the life cycle of each
    machine. This will not provide a significant
    increase in the security of machines on campus.

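The third bullet is the load-balancer property that makes a stateful firewall pair work at all: the reply to a request must reach the same firewall that saw the request, or that firewall has no state for it and drops it. The code below is an added example, not the presentation's material and not the algorithm of the Foundry ServerIron named on a later slide; the hash-based choice of firewall for a new flow is an assumption, and the addresses are constructed.

```python
"""Flow affinity in firewall load balancing: a flow stays on one firewall."""
import hashlib
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport


class FlowBalancer:
    def __init__(self, firewalls: List[str]):
        self.firewalls = list(firewalls)
        self.table: Dict[Tuple, str] = {}   # established flows pinned to a firewall

    @staticmethod
    def canonical(flow: Flow) -> Tuple:
        proto, src, sport, dst, dport = flow
        # Request and reply carry the endpoints in opposite order; order them
        # deterministically so both directions look up the same table entry.
        a, b = (src, sport), (dst, dport)
        return (proto,) + (a + b if a <= b else b + a)

    def pick(self, flow: Flow) -> str:
        key = self.canonical(flow)
        if key in self.table:
            return self.table[key]          # established flow: same firewall as before
        # New flow: assumed hash-based choice (any stable spread would do).
        digest = hashlib.sha256(repr(key).encode()).digest()
        fw = self.firewalls[int.from_bytes(digest[:4], "big") % len(self.firewalls)]
        self.table[key] = fw                # pin it until the flow completes
        return fw

    def close(self, flow: Flow) -> None:
        self.table.pop(self.canonical(flow), None)


def demo() -> Tuple[str, str, int]:
    lb = FlowBalancer(["fw-1", "fw-2"])
    # Constructed flow: a campus host mailing out, and the server's reply.
    request = ("tcp", "192.0.2.5", 40000, "198.51.100.7", 25)
    reply = ("tcp", "198.51.100.7", 25, "192.0.2.5", 40000)
    first = lb.pick(request)
    lb.firewalls.append("fw-3")   # capacity added mid-flow; pinned flows must not move
    second = lb.pick(reply)       # reply lands on the firewall holding the state
    lb.close(request)             # flow completed: entry released
    return first, second, len(lb.table)


if __name__ == "__main__":
    print(demo())
```

The check worth keeping in mind when adding or replacing a firewall behind such a balancer is the one the demo makes: existing flows keep their firewall even after the set of firewalls changes, so only new flows are spread onto the added unit.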
14
Why won't it fully protect my machines?
  • Open nature of computing on campus. One
    department may have absolutely no need for a
    particular protocol, another may use it on a
    regular basis. Coming up with one all
    encompassing ruleset that would provide
    protective features would be extremely difficult.
  • Placement is such that even with the tightest
    ruleset, other machines on campus could still
    pose a risk.
  • Multiple entry points onto campus (departmental
    modems for example).

15
What else will they do?
  • The Netscreens have a limited IDS capability.
    Some of the IDS features are enabled:
    port scans, UDP flood, etc.
  • VPNs? The firewalls have VPN capability.
  • Limited scalability with this particular box,
    namely in user management.
  • Limited ability to provide VPN services to
    multiple operating systems.
  • So, alternative hardware will provide the VPN
    solution to campus.

16
How will firewalls affect my life?
  • In general, the rules are open, so what worked
    prior to the placement of the firewalls should
    work now that the firewalls are in place.
  • Machine admins will still have to be vigilant
    about machine security. The firewall offers
    absolutely no protection to traffic which stays
    entirely on campus.
  • Code Red protection now implemented on the
    firewalls. Protection from Code Blue as well.

17
Code Red / Blue Filters
  • 1st full day of filters was 9/20; this was for
    Code Red only.
  • Only filters external to internal traffic, not
    internal to external.
  • Filters on the URL portion, not the worm contained
    in email.
  • 9/20 - 10/1:
    - 221K total denies
    - 20K avg denies per day
  • 1st full day with Code Blue was 10/2.
  • 600K denies on one day last week!

18
Code Red/Blue continued
  • 1st day with Code Blue as well as Code Red:
    64,925 total URL denies.
  • Remember, no protection from other infected hosts
    on campus.
19
How can my department use the firewalls?
  • CCSO will be offering a firewall service plan.
    Departments can choose which group(s) they want
    to use. Must choose a group for a segment of IP
    addresses.
  • Customization within the plan will not be an
    option. Obviously groups may not fit the needs of
    all departments.
  • Look at the scalability of customization:
    360 nets x 20 rules/net = 7200 rules.
  • 4 Groups available:
    - Fully open
    - Mostly open
    - Mostly closed
    - Fully closed

20
Fully Open
  • Essentially this is the same connectivity a
    department currently has. All services allowed
    in, all services allowed out.
  • Advantages: nothing changes from the traditional
    state of everything allowed in and out. Good for
    machines running certain servers or servers on
    unusual ports.
  • Disadvantages: computers fully open to attacks,
    scans, etc. from the internet.
  • This will be the default group. So if no other
    group is chosen, this is the group that a network
    will be in.

21
Mostly Open
  • Most services are allowed inbound, all services
    are allowed outbound.
  • Disallowed inbound services: snmp, icmp, dns,
    irc, finger, ldap, nntp, nfs, smtp (mail), http
  • Advantages: blocks the majority of scans we are
    seeing now, while allowing the computers to
    maintain the majority of their visibility to the
    internet. Most departments would probably not
    want the blocked services visible to the internet
    anyway, with the exception of smtp and http.
  • Disadvantages: if there are any off-campus users
    of the disallowed services, they could no longer
    access them.

22
Mostly Closed
  • Disallows all inbound services except http,
    https, imap, pop3, ssh, telnet, ftp, smtp, H.323.
  • Allows all outbound service requests.
  • Advantages: lowers the risk for some attacks.
    Allows the department to have publicly accessible
    common internet servers. Internal users maintain
    full connectivity to the internet.
  • Disadvantages: still at risk for any ports still
    open, for example the recent telnetd exploit, or
    web server exploits.

23
Fully Closed
  • Denies all inbound connection attempts.
  • Allows all outbound requests.
  • Advantages: removes the threat to the computer
    from internet-based attacks. Servers placed in
    this category would not be visible to the
    internet, so the network admin has more control
    over the services that a user can run on a machine
    and have available to the internet.
  • Disadvantages: departmental servers isolated from
    the internet. Server machines would have to be
    placed into one of the other categories.

24
Firewall service plans continued
  • Beta tested proposed groups with several
    departments.
  • Wireless net will be in the fully closed
    category. Machines on wireless will not be able
    to provide services to the internet, but these
    machines will have full connectivity to the
    internet.
  • Allows network admin to have more control over
    which machines are offering services to the
    internet.

25
How are the firewall service plans useful?
  • Nets can be divided into ip ranges and each range
    can be put into a separate group.
  • A department could put machines into each of the
    groups.
  • Which group a machine belongs to would depend on
    the mission of a machine.
  • The Fully Closed model offers a high level of
    protection for a machine from traffic that
    originates from off campus. But allows the
    average user to still fully use the internet.
  • Mostly Open allows for protection from common
    scans.
  • Mostly Closed allows for protection on all but
    the most common internet service ports.

26
Firewall service plan availability
  • Ability to subscribe to service plans starting
    Jan. 2002.
  • Documents available from CCSO which must be
    filled out and returned before nets can be placed
    in the various groups.
  • http://www.cso.uiuc.edu/techsupport/firewall/
  • Department Head approval is a required part of
    using the firewall service groups.

27
Firewall service plan availability, contd.
  • There will be work that net admins will have to
    do to prepare to use the various groups. Namely
    reorganizing machines for the various groups into
    contiguous ip-space.
  • VPN service will also be of help to those nets
    wishing to limit connectivity from "external"
    sources, but provide connectivity to employees
    accessing services from off-campus service
    providers.
  • Clients using the VPN software will traverse the
    firewall and will appear to be connecting from
    University IP space.
  • This may allow some servers to be placed in a
    more restrictive category.

28
Important Notes
  • Remember, if the traffic doesn't pass through the
    firewall, the firewall can't regulate the traffic.
    So:
  • Machines are still vulnerable to other machines
    on campus. So security measures, patches, etc.
    on individual machines are still an issue. The
    firewalls do not significantly decrease the need
    for vigilance with respect to machine security.
  • IDS capability of the firewalls is rather
    limited. If you want to stop scans of machines
    on your nets, look seriously at the firewall
    groups and place machines into the appropriate
    group for the mission of a machine.

29
(Diagram slide; only its labels survive: RPC (111),
UIUC, A - Fully Open, B - Mostly Closed)
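The four service groups from slides 19 to 23, the wireless placement from slide 24, and the blind spot the diagram above and the "Important Notes" slide describe can be checked in one policy model. The code below is an added example; it is not CCSO's ruleset or Netscreen configuration. The campus address range and the four subscribed sub-ranges are constructed (RFC 5737 documentation space), the service lists are transcribed from the slides, and machines A and B follow the diagram's labels.

```python
"""Service-group policy check: the four groups plus the on-campus blind spot."""
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Tuple

# Constructed stand-in for campus address space (RFC 5737 documentation range).
CAMPUS = ip_network("192.0.2.0/24")

# Service lists transcribed from the slides (icmp is listed there as a service).
MOSTLY_OPEN_DENIED = frozenset({"snmp", "icmp", "dns", "irc", "finger", "ldap",
                                "nntp", "nfs", "smtp", "http"})
MOSTLY_CLOSED_ALLOWED = frozenset({"http", "https", "imap", "pop3", "ssh",
                                   "telnet", "ftp", "smtp", "h323"})

# A group is a mode plus a service set: "deny-list" blocks the listed inbound
# services and admits everything else; "allow-list" admits only the listed ones.
GROUPS: Dict[str, Tuple[str, FrozenSet[str]]] = {
    "Fully Open":    ("deny-list",  frozenset()),
    "Mostly Open":   ("deny-list",  MOSTLY_OPEN_DENIED),
    "Mostly Closed": ("allow-list", MOSTLY_CLOSED_ALLOWED),
    "Fully Closed":  ("allow-list", frozenset()),
}

# Constructed subscriptions: each contiguous range is placed in one group.
ASSIGNMENTS = {
    ip_network("192.0.2.0/26"):   "Fully Open",     # machine A from the diagram
    ip_network("192.0.2.64/26"):  "Mostly Open",
    ip_network("192.0.2.128/26"): "Mostly Closed",  # machine B from the diagram
    ip_network("192.0.2.192/26"): "Fully Closed",   # e.g. the wireless net
}


def group_of(ip: str) -> str:
    """Group a campus address subscribed to; Fully Open is the default group."""
    for net, grp in ASSIGNMENTS.items():
        if ip_address(ip) in net:
            return grp
    return "Fully Open"


def inbound_allowed(group: str, service: str) -> bool:
    mode, services = GROUPS[group]
    return service not in services if mode == "deny-list" else service in services


def verdict(src: str, dst: str, service: str) -> str:
    src_on, dst_on = ip_address(src) in CAMPUS, ip_address(dst) in CAMPUS
    if src_on and dst_on:
        return "not seen"          # purely internal traffic never reaches the firewalls
    if src_on:
        return "allow (outbound)"  # every group allows all outbound requests
    return "allow" if inbound_allowed(group_of(dst), service) else "deny"


INTERNET = "198.51.100.7"          # constructed off-campus host
A, B = "192.0.2.10", "192.0.2.140"  # A: Fully Open range, B: Mostly Closed range


def demo() -> List[Tuple[str, str]]:
    return [
        ("internet -> A rpc",            verdict(INTERNET, A, "rpc")),
        ("internet -> B rpc",            verdict(INTERNET, B, "rpc")),
        ("internet -> B http",           verdict(INTERNET, B, "http")),
        ("internet -> mostly-open smtp", verdict(INTERNET, "192.0.2.70", "smtp")),
        ("internet -> mostly-open ssh",  verdict(INTERNET, "192.0.2.70", "ssh")),
        ("internet -> wireless http",    verdict(INTERNET, "192.0.2.200", "http")),
        ("B -> internet irc",            verdict(B, INTERNET, "irc")),
        ("A -> B rpc (on campus)",       verdict(A, B, "rpc")),
    ]


if __name__ == "__main__":
    for label, result in demo():
        print(f"{label:32} {result}")
```

The last case is the one the diagram makes: B's Mostly Closed group blocks RPC from the internet, but the same request from A never crosses the firewalls, so the group offers B nothing against A. That is the concrete reason the deck keeps repeating that patching and host-level hardening remain the machine owner's job.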
30
Questions, Comments?
  • Email stevens3_at_uiuc.edu